Analysis Overview
SHA256
bbce2762d2cf06a4cbeae8b8eca305986c8ede78877bca908d80d522ac874f40
Threat Level: Known bad
The file bbce2762d2cf06a4cbeae8b8eca305986c8ede78877bca908d80d522ac874f40 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
SystemBC
Detects Smokeloader packer
Executes dropped EXE
Downloads MZ/PE file
Drops file in Windows directory
Program crash
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-20 10:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-20 10:30
Reported
2022-12-20 10:33
Platform
win10v2004-20221111-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
SystemBC
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4527.exe | N/A |
| N/A | N/A | C:\ProgramData\helbkxl\bsjptaw.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\bsjptaw.job | C:\Users\Admin\AppData\Local\Temp\4527.exe | N/A |
| File opened for modification | C:\Windows\Tasks\bsjptaw.job | C:\Users\Admin\AppData\Local\Temp\4527.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4527.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\bbce2762d2cf06a4cbeae8b8eca305986c8ede78877bca908d80d522ac874f40.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\bbce2762d2cf06a4cbeae8b8eca305986c8ede78877bca908d80d522ac874f40.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\bbce2762d2cf06a4cbeae8b8eca305986c8ede78877bca908d80d522ac874f40.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbce2762d2cf06a4cbeae8b8eca305986c8ede78877bca908d80d522ac874f40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbce2762d2cf06a4cbeae8b8eca305986c8ede78877bca908d80d522ac874f40.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbce2762d2cf06a4cbeae8b8eca305986c8ede78877bca908d80d522ac874f40.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2532 wrote to memory of 2224 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4527.exe |
| PID 2532 wrote to memory of 2224 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4527.exe |
| PID 2532 wrote to memory of 2224 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4527.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\bbce2762d2cf06a4cbeae8b8eca305986c8ede78877bca908d80d522ac874f40.exe | "C:\Users\Admin\AppData\Local\Temp\bbce2762d2cf06a4cbeae8b8eca305986c8ede78877bca908d80d522ac874f40.exe" |
| C:\Users\Admin\AppData\Local\Temp\4527.exe | C:\Users\Admin\AppData\Local\Temp\4527.exe |
| C:\ProgramData\helbkxl\bsjptaw.exe | C:\ProgramData\helbkxl\bsjptaw.exe start |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2224 -ip 2224 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 492 |
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | dowe.at | udp |
| N/A | 91.195.240.101:80 | dowe.at | tcp |
| N/A | 8.8.8.8:53 | xisac.com | udp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 45.141.58.129:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 40.79.189.58:443 | N/A | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 8.8.8.8:53 | bitleague.live | udp |
| N/A | 198.38.91.55:443 | bitleague.live | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 178.31.8.68:80 | xisac.com | tcp |
| N/A | 109.205.214.18:443 | N/A | tcp |
Files
memory/4072-133-0x00000000005F0000-0x00000000005F9000-memory.dmp
memory/4072-132-0x0000000000669000-0x0000000000679000-memory.dmp
memory/4072-134-0x0000000000400000-0x000000000045F000-memory.dmp
memory/4072-135-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2224-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4527.exe
| MD5 | cdc67700f25eaed1417264c4bdec03d3 |
| SHA1 | 56639e9414e6ee8394d940d62778475ddf071290 |
| SHA256 | fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100 |
| SHA512 | a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038 |
memory/2224-139-0x0000000000649000-0x000000000065A000-memory.dmp
memory/2224-140-0x00000000005B0000-0x00000000005B9000-memory.dmp
memory/2224-141-0x0000000000400000-0x000000000045F000-memory.dmp
C:\ProgramData\helbkxl\bsjptaw.exe
| MD5 | cdc67700f25eaed1417264c4bdec03d3 |
| SHA1 | 56639e9414e6ee8394d940d62778475ddf071290 |
| SHA256 | fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100 |
| SHA512 | a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038 |
memory/3448-144-0x0000000000503000-0x0000000000513000-memory.dmp
memory/3448-145-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2224-146-0x0000000000649000-0x000000000065A000-memory.dmp
memory/2224-147-0x0000000000400000-0x000000000045F000-memory.dmp